Another calendar quarter is behind us, so it is once again time to wade into our spam traps and work out the latest SPAMPIONSHIP standings.

That's where we look at the sources of spam in order to calculate the Dirty Dozen spam sending countries.

If your country is on the list, we're not saying that you're spammers.

But we are saying that you are spam senders.

Spammers versus spam senders

There's a big difference, because spammers generally don't send their own spam in bulk any more.

That hasn't worked for a decade or so, because if you send 10,000,000 unwanted emails as fast as you can from the same server, or even the same data centre, you make an easily-identified target.

So 1,000,000 of the messages might get loose before either the data centre (if it cares, and reputable ones most definitely do) or the majority of your recipients, or both, say, "No more!"

Not only are you blocked from sending the remaining 9,000,000 emails from your truncated campaign, you probably can't use those same servers again for days, weeks, months, perhaps ever.

How spam is delivered

Enter the botnet, or robot network.

That's an unwitting collection of surreptitiously co-operating zombie computers - in homes, at offices, in coffee shops, at the mall, by the beach - that regularly call home for instructions to servers that the criminals control.

The crooks can send each bot in the network a list of email addresses, and then command the entire botnet to start a giant spam campaign.

Using bots, those 10,000,000 spams can be sent, say, in 10,000 batches of 1000 emails at a time, presenting a much less obvious pattern to those who defend against spam. (And sticking those 10,000 bot-infected users with the cost of the bandwidth, if you don't mind.)

Why spam matters

I used the words "unwitting" and "surreptitious" above because, although some users may knowingly participate, the majority of botnet spam senders don't even realise they're doing it.

That's why we publish the SPAMPIONSHIP tables: not to lay wholesale accusations of cybercriminality against entire countries, but to raise awareness of something we've said a number of times recently, since it's Cyber Security Awareness Month:

If you don't make an effort to clean up malware from your own computer, you aren't part of the solution, you're part of the problem.

We're not pointing fingers here at anyone who ever made a mistake and ended up infected by malware, but we do want you to be mindful of the consequences of inaction.

For as long as you fail to do anything about spambot malware on your computer, you're actually helping the crooks to make money, and putting the rest of us, no matter how modestly, in harm's way.

The SPAMPIONSHIP tables

And with those firm-but-fair words behind us, here are the latest figures showing spam by volume on a country-by-country basis:

As you can see, the top of the table is surprisingly consistent, with the countries in the first five places having all been in the Dirty Dozen throughout the year.

Of course, you probably expected to see India and China in the list: they each have populations exceeding 1 billion people, so it would be surprising not to see them near the top.

Nor is it surprising that the USA is in the Number One spot yet again, this time sending nearly three times as much spam as second-placed Belarus.

After all, the US has 30 times the population of Belarus, and internet access is much more strongly established, so you would expect a higher proportion of Americans to have their own computers and to use the internet regularly.

It's when we turn the SPAMPIONSHIP into a per capita comparison that things get interesting:

Here, the number next to each country denotes the average spamminess per person compared to the USA.

In other words, we divided each country's spam total by its population, then divided every country's spam-per-person value by the figure for America.

Obviously, that makes US = 1.00, and tells us that the average computer in Belarus was eleven times more likely to send spam than if it were in the USA.

Israelis, whose propensity for sending spam sneaks the Middle Eastern country into twelfth place on the chart for the first time this year, were 1.8 times as likely as Americans to be spam senders.

The per capita chart doesn't do any favours to small countries, which tend to hide near the bottom of volume-only lists, even if their computers are awash with zombie malware.

US neighbour The Bahamas, for example, made it to eighth spot, with double the likelihood of its computers spamming compared to the US.

Luxembourg got up to fourth spot, with a spammishness 2.7 times that of the US, up from sixth in Q2 and seventh in Q3.

→ We excluded countries with populations below 300,000 so small nations that experienced a one-off spam blip wouldn't confusingly shoot to the top. Bahamas and Luxembourg made the cut, having just over 300K and 500K inhabitants respectively.
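The per capita calculation described above, including the 300,000 population cutoff, written out as an added example (not code from the article). Every spam count and population figure is constructed for illustration, "Tinyland" is a hypothetical microstate, and the function names are our own.

```python
# Added example: per capita spam index relative to a baseline country.
# All figures are constructed for illustration; they are not the article's data.

MIN_POPULATION = 300_000  # cutoff stated in the article

# country -> (spam messages seen in the traps, population); constructed values
SAMPLE = {
    "USA":        (3_000_000, 300_000_000),
    "Belarus":    (1_100_000, 10_000_000),
    "Luxembourg": (13_500, 500_000),
    "Bahamas":    (6_200, 310_000),
    "Tinyland":   (5_000, 50_000),  # hypothetical: tiny nation, one-off blip
}


def rank_by_volume(data):
    """Countries ordered by raw spam volume, highest first."""
    return sorted(data, key=lambda c: data[c][0], reverse=True)


def per_capita_index(data, baseline="USA", min_population=MIN_POPULATION):
    """Return [(country, index)] sorted high to low, with baseline == 1.00."""
    if baseline not in data:
        raise ValueError(f"baseline {baseline!r} missing from data")
    base_spam, base_pop = data[baseline]
    if base_spam <= 0 or base_pop <= 0:
        raise ValueError("baseline needs non-zero spam and population")
    result = []
    for country, (spam, pop) in data.items():
        if pop < min_population:
            continue  # too small: a single campaign would dominate the ratio
        # (spam / pop) / (base_spam / base_pop), kept in integers
        # until the final division to avoid compounding float error
        index = (spam * base_pop) / (pop * base_spam)
        result.append((country, round(index, 2)))
    return sorted(result, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("By volume:     ", rank_by_volume(SAMPLE))
    print("Per capita:    ", per_capita_index(SAMPLE))
    print("Without cutoff:", per_capita_index(SAMPLE, min_population=0))
```

With the cutoff removed, the hypothetical microstate jumps to second place on the strength of 5,000 messages, which is the distortion the population floor is there to prevent.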

What next?

In some ways, the SPAMPIONSHIP charts are just a bit of fun.

But the countries at the top of the per capita chart don't paint a good picture.

The Top Three, Belarus, Uruguay and Taiwan, have earned eight of the nine podium finishes this year.

The slave computers in the USA and other places are the victims, not the perpetrators. There's another issue: a large part of the USA spam is from European computers using USA hosting, ergo "USA spam".

I track miscreant computer IPs 7 days a week, block them in my server, see the patterns and watch them change.

Content scraping and hack attempts on websites mirror & run parallel to spamming; it's the same bunch of thugs, trying to make money.

You didn't point a finger, so I will: The most aggressive bad guys in the world today are China. A couple of years back it was Russia. It's also a decent bet that NATO cyber-intrusion stirred up the Chinese hornets' nest.

For two years I never saw a Chinese bot, Russia was 80% of the traffic. With the worst couple/few million of the Ruskies blocked, I don't see them very often now.

China? Coming in droves, 10 to 1 over other countries. It started as a trickle a year ago, now they "storm the razor wire" like the Viet Cong used to do.

It's really not any honor to be #2 in the per capita stat, but it doesn't surprise me at all.
ITSec and awareness as a whole are extremely disregarded in my country. People are not conscious about cyber-risks, or they don't even mind.
It's an attitude.
I've been crusading for this, trying to take "the Word" and "evangelize" as much as I can, but sometimes I feel it's a lost cause.

Even if the maths is right, this is an uninteresting analysis. Per capita ratios don't account for computer usage in a given nation so the numbers are skewed towards places with high personal computer usage and low population.

* Computer usage, or internet penetration - call it what you will - is terribly hard to get convincing figures for. (Try it and see how variable the claims are.)

* The numbers aren't skewed towards places with low populations. Firstly, they are calculated per capita, so population is effectively divided out, and secondly, as explained above, countries with *very* low populations - under 300K - were omitted. So if there is any skew it is *away* from unpopulated countries, not towards them.

* Places with high personal computer usage tend to be richer, developed economies with a longer history of internet usage. So if they appear higher in the charts than you might like, maybe that will urge the users to use their greater riches/economic development/internet experience to lead the way in removing malware and zombies?

Oh. A fourth point. What do you mean to imply when you say "even if the maths is right"? Are you questioning my ability to do long division, or is there something else that piqued your uninterest?

Hello Paul,
Can you tell me Uruguay's position in the ranking "Countries per Volume"?
How is the Spam volume calculated?
We used to be (Uruguay) an important SPAM exporter in the WWII, so..;(
Thank you.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog